[Standards] securing in-band registration

Peter Saint-Andre stpeter at jabber.org
Wed Jul 18 22:34:31 UTC 2007


Back in January Ian Paterson argued that we need to make in-band
registration more secure:

http://mail.jabber.org/pipermail/standards/2007-January/013563.html

And I agree:

http://mail.jabber.org/pipermail/standards/2007-January/013566.html

Ian recently brought up the issue again on the Council list:

http://mail.jabber.org/pipermail/council/2007-July/002161.html

So yes, we need to better secure how we do in-band registration with
servers (I care less about registration with services like MUC rooms and
transports). Right now it is way too easy to create a botnet that
registers lots of new users at various open servers and then starts
spamming existing Jabber users.

Part of the solution is requiring x:data forms for registration. Yes, as
Matthias pointed out this will make life difficult for existing clients.
So we need to define a transition strategy. Clearly define how the
x:data-only registration works and set some goals for deprecating the
old way of doing things.

Part of the solution is also XEP-0158:

http://www.xmpp.org/extensions/xep-0158.html

If we support media-in-forms (e.g. CAPTCHAs) we may have even stronger
weapons. See XEP-0221 for the media element definition (recently moved
from XEP-0158).

Peter
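The exchange sketched in the message above, as an added example that is not part of the original post and not code from any XMPP server: the server answers a registration request with an x:data form that carries a XEP-0158-style challenge (hidden FORM_TYPE, challenge id, and an `ocr` field with a XEP-0221 media element), the client copies the hidden fields back with its answers, and the server refuses anything that is not an x:data submission, a replayed challenge, or a wrong answer. Element and namespace names follow XEP-0077, XEP-0004, XEP-0158 and XEP-0221 as I read them; the exact field layout, the `cid:` image reference, the in-memory challenge store, and the password rule are assumptions for illustration. The `accept_legacy` switch stands in for the transition period during which old clients may still send plain `<username/>`/`<password/>` children.

```python
"""Toy in-band registration with an x:data-only policy and a CAPTCHA
challenge.  Added example; not from the original post or any XMPP server."""
import hmac
import secrets
import xml.etree.ElementTree as ET

NS_REGISTER = "jabber:iq:register"       # XEP-0077
NS_XDATA = "jabber:x:data"               # XEP-0004
NS_CAPTCHA = "urn:xmpp:captcha"          # XEP-0158 FORM_TYPE (assumed)
NS_MEDIA = "urn:xmpp:media-element"      # XEP-0221 (assumed)


def _field(x, var, ftype=None, value=None, label=None, required=False):
    """Append an x:data <field/> to form element `x`."""
    f = ET.SubElement(x, f"{{{NS_XDATA}}}field", var=var)
    if ftype:
        f.set("type", ftype)
    if label:
        f.set("label", label)
    if value is not None:
        ET.SubElement(f, f"{{{NS_XDATA}}}value").text = value
    if required:
        ET.SubElement(f, f"{{{NS_XDATA}}}required")
    return f


class RegistrationServer:
    """Server side: issues single-use challenges and validates submissions."""

    def __init__(self, domain, accept_legacy=False):
        self.domain = domain
        self.accept_legacy = accept_legacy   # transition-period switch (assumed)
        self.users = {}                      # username -> password (toy store)
        self._pending = {}                   # challenge id -> expected OCR text

    def issue_form(self, requester_jid, answer=None):
        """Return (challenge_id, <iq type='result'/> XML).  `answer` fixes the
        CAPTCHA text for testing; a real server would render it into the image
        referenced by the cid: URI (constructed here, never actually served)."""
        cid = secrets.token_hex(8)
        self._pending[cid] = answer if answer is not None else secrets.token_hex(3)
        iq = ET.Element("iq", type="result", to=requester_jid, id=f"reg-{cid}")
        q = ET.SubElement(iq, f"{{{NS_REGISTER}}}query")
        x = ET.SubElement(q, f"{{{NS_XDATA}}}x", type="form")
        ET.SubElement(x, f"{{{NS_XDATA}}}title").text = "Registration"
        _field(x, "FORM_TYPE", "hidden", NS_CAPTCHA)
        _field(x, "from", "hidden", self.domain)
        _field(x, "challenge", "hidden", cid)
        ocr = _field(x, "ocr", "text-single", label="Enter the text you see", required=True)
        media = ET.SubElement(ocr, f"{{{NS_MEDIA}}}media", height="80", width="290")
        ET.SubElement(media, f"{{{NS_MEDIA}}}uri", type="image/png").text = f"cid:{cid}@bob.{self.domain}"
        _field(x, "username", "text-single", label="Username", required=True)
        _field(x, "password", "text-private", label="Password", required=True)
        return cid, ET.tostring(iq, encoding="unicode")

    def register(self, iq_set_xml):
        """Validate a client's <iq type='set'/>.  Returns 'ok' or an error
        string; the account is created only when every check passes."""
        q = ET.fromstring(iq_set_xml).find(f"{{{NS_REGISTER}}}query")
        if q is None:
            return "bad-request"
        x = q.find(f"{{{NS_XDATA}}}x")
        if x is None:
            # Plain <username/><password/> children: a bot can send these
            # blindly, so they are refused once the transition period is over.
            if not self.accept_legacy:
                return "not-acceptable: x:data form required"
            fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "") for c in q}
        else:
            fields = {}
            for f in x.findall(f"{{{NS_XDATA}}}field"):
                v = f.find(f"{{{NS_XDATA}}}value")
                fields[f.get("var")] = (v.text or "") if v is not None else ""
            if fields.get("FORM_TYPE") != NS_CAPTCHA:
                return "bad-request: unexpected FORM_TYPE"
            # pop() makes the challenge single-use: a replayed submission fails.
            expected = self._pending.pop(fields.get("challenge", ""), None)
            if expected is None:
                return "not-acceptable: unknown or already-used challenge"
            if not hmac.compare_digest(expected.encode(), fields.get("ocr", "").encode()):
                return "not-acceptable: wrong CAPTCHA answer"
        user, pw = fields.get("username", ""), fields.get("password", "")
        if not user.isalnum() or len(pw) < 8:          # assumed local policy
            return "not-acceptable: bad username or weak password"
        if user in self.users:
            return "conflict"
        self.users[user] = pw
        return "ok"


def client_submit(form_xml, username, password, ocr_answer):
    """Client side: echo the hidden fields and fill in the visible ones."""
    x = ET.fromstring(form_xml).find(f"{{{NS_REGISTER}}}query/{{{NS_XDATA}}}x")
    answers = {"username": username, "password": password, "ocr": ocr_answer}
    iq = ET.Element("iq", type="set", id="reg-submit")
    sub = ET.SubElement(ET.SubElement(iq, f"{{{NS_REGISTER}}}query"),
                        f"{{{NS_XDATA}}}x", type="submit")
    for f in x.findall(f"{{{NS_XDATA}}}field"):
        var = f.get("var")
        val = f.findtext(f"{{{NS_XDATA}}}value") or "" if f.get("type") == "hidden" else answers.get(var, "")
        _field(sub, var, value=val)
    return ET.tostring(iq, encoding="unicode")


def legacy_submit(username, password):
    """What an old client, or a bot that never fetched the form, sends."""
    iq = ET.Element("iq", type="set", id="reg-legacy")
    q = ET.SubElement(iq, f"{{{NS_REGISTER}}}query")
    ET.SubElement(q, f"{{{NS_REGISTER}}}username").text = username
    ET.SubElement(q, f"{{{NS_REGISTER}}}password").text = password
    return ET.tostring(iq, encoding="unicode")
```

Two points worth noting in the server logic: the challenge is removed from the pending table before the answer is compared, so a bot cannot brute-force one challenge with repeated submissions, and the legacy path is a policy switch rather than a silent fallback, which is the deprecation lever the transition strategy needs.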